cat-users - Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication


  • From: Sebastien Ceuterickx <address@concealed>
  • To: Tomasz Wolniewicz <address@concealed>, "address@concealed" <address@concealed>
  • Cc: Adam Wojciech Sosnowski <address@concealed>
  • Subject: Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication
  • Date: Wed, 29 Jan 2014 20:33:19 +0000
  • Accept-language: en-GB, en-US
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Thanks Tomasz. Actually you are right and your comment is very valuable.

We will ask our security experts for advice and come back to you.

Best regards,

Sebastien


From: Tomasz Wolniewicz [mailto:address@concealed]
Sent: 29 January 2014 16:16
To: Sebastien Ceuterickx; address@concealed
Cc: Adam Wojciech Sosnowski
Subject: Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication


I am not sure I understand.
You would want the username to be set to address@concealed for all users?

I am not sure how RADIUS servers log things now, but it used to be that they logged by User-Name and to make sure that the User-Name fits the user cert, there was an option to compare the User-Name with one of the cert attributes. If you did not do that, then one user could claim to be another one or you would get all your authentications logged under just one user.

Specifying address@concealed does not provide any additional user privacy, of course, as the user cert is sent unencrypted.
What we do at my university is to provide our staff with pseudonymous certificates which only carry an assigned number as an ID, and no private data. The CN of the certificate is address@concealed where xxxx is this number. Windows will extract this CN by itself and use it as User-Name, therefore our users do not even need to know this number (well, at least for Windows). We think that this approach is quite tidy and safe for users, plus it gives the extra security that critical credentials like passwords cannot be compromised.

I need to check if it is possible to tell Windows what the alternative user-name should be, but I rather doubt that it can be done easily.

Tomasz



On 2014-01-29 16:01, Sebastien Ceuterickx wrote:

Dear Tomasz,

Thank you very much for your reply. It works better. However, the alternative login name is still not set to “address@concealed”. Is there a way to prevent the user from having to do it manually?

Cheers,

Sebastien



-- 
Tomasz Wolniewicz
address@concealed        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun            pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       mobile: +48-693-032-576

Attachment: smime.p7s
Description: S/MIME cryptographic signature
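The check Tomasz refers to (comparing the outer User-Name with an attribute of the client certificate so that one holder of a valid certificate cannot be logged under another user's name) is, in FreeRADIUS, the `check_cert_cn` option. The fragment below is an added example for readers of this thread; it is not from eduroam CAT, from either correspondent, or from a real deployment. The option names `check_cert_cn` and `check_cert_issuer` and the `%{User-Name}` expansion are real FreeRADIUS syntax; the file layout (FreeRADIUS 3, `mods-available/eap`), the key and CA paths, and the issuer DN are assumptions and placeholders.

```conf
# Added example (not from the thread): FreeRADIUS 3, mods-available/eap.
# Paths, the issuer DN and the surrounding values are assumptions; only the
# option names are real FreeRADIUS configuration keys.

eap {
    default_eap_type = tls

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem      # assumed path
        certificate_file = ${certdir}/server.pem      # assumed path
        ca_file          = ${cadir}/ca.pem            # assumed path

        # Weak (option left commented out): nothing binds the outer
        # User-Name to the certificate that was actually presented. Any
        # holder of a CA-issued certificate can send a different User-Name,
        # and every accounting and log line is recorded under that name.
        #
        # check_cert_cn = %{User-Name}

        # Hardened: the value is expanded and compared with the CN of the
        # client certificate. A mismatch fails certificate verification and
        # the Access-Request is rejected, so the identity in the logs is
        # always the one proven by the certificate.
        check_cert_cn = %{User-Name}

        # Additionally accept only certificates signed by the institution's
        # own CA (placeholder DN, to be replaced with the real issuer).
        check_cert_issuer = "/C=XX/O=Example University/CN=Example eduroam CA"
    }

    tls {
        tls = tls-common
    }
}
```

With certificates of the kind Tomasz describes, where the CN is `xxxx@realm` and Windows copies the CN into User-Name, the hardened setting passes without the user doing anything. The setting is deliberately incompatible with the idea of one shared alternative login name for all users: any supplicant that sends a User-Name different from its certificate's CN is rejected, which is the same trade-off between outer-identity uniformity and per-user accountability that the thread discusses.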



